I’m using the Zoom Apps SDK in a web app. I want my web app to make API calls to my server. I need to cryptographically verify that these calls came from a valid web app session, and not a malicious third party.
I do not want to send the user through an OAuth path. I don’t need permission to do anything on their behalf. I only need to ensure that the traffic is valid.
I found some mentions of getting a session token or a signed context object, but I can’t find any documentation and everything I tried failed. It seems like there should be a way to obtain an object with the meeting ID and user ID that’s signed and can be validated if I know the shared secret that was used to sign it.
This must be a common use case, right? How do I ensure that traffic to my backend API, and the meeting ID and user ID, are valid?